best way to prevent usage of mobile phones inside workplace [closed]

In a recent audit by one of our clients, they advised us to block mobile phones inside the office campus, since the client fears that employees will take snapshots of client data. So we decided to block the usage of cellphones inside the campus.

What would be the best way to implement it? The problems which we might face were:

  • The employees can't attend emergency calls from unknown numbers

  • The employees can't attend emergency client calls

We thought of implementing a cellphone jammer, but many of the employees were handling clients through mobile phones.

On the other side, if we allow mobile phones inside the campus for the employees who are attending client calls, it will raise discrimination between employees.

Possible solutions we discussed were:

  • Providing separate numbers for clients

  • Implementing a cellphone jammer (optional, we don't consider it; it's suggested by one of the employees, so we kept it as a suggestion)

Other than the above, what would be the best method to implement it?





















closed as off-topic by gnat, Masked Man♦, jcmeloni, The Wandering Dev Manager, IDrinkandIKnowThings Jul 22 '15 at 15:28


This question appears to be off-topic. The users who voted to close gave these specific reasons:


  • "Questions asking for advice on what to do are not practical answerable questions (e.g. "what job should I take?", or "what skills should I learn?"). Questions should get answers explaining why and how to make a decision, not advice on what to do. For more information, click here." – jcmeloni, IDrinkandIKnowThings

  • "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – gnat, Masked Man, The Wandering Dev Manager

If this question can be reworded to fit the rules in the help center, please edit the question.








  • 15




    Just out of curiosity, how does a cell phone jammer stop the phone's camera? If the concern is actually that employees will take pictures of client data, then you're going to have to search every employee as they come through the door.
    – Joel Etherton
    Jul 22 '15 at 12:40






  • 7




    If your problem is mobile phone cameras why do you think connectivity is relevant? Also, frequency jamming is illegal in a lot of jurisdictions anyway.
    – Nathan Cooper
    Jul 22 '15 at 12:43






  • 11




    Refuse the request, trust your employees, and put severe consequences in place for anyone caught photographing sensitive materials. This kind of problem is typically the domain of defense contractors handling "top secret" info-- they're somewhat justified in taking draconian approaches, but unless you're handling life or death issues, it would be ridiculous to ban phones.
    – teego1967
    Jul 22 '15 at 12:53







  • 2




    @JoelEtherton Yes. Maybe I'm not familiar with the available technology, but my understanding is that cell phone jammers would stop people from making or receiving cell phone calls. They would do nothing to prevent someone from taking a picture. Your proposed solution creates a whole bunch of problems, while doing absolutely zero to solve the original problem. If the problem was that employees were spending a lot of time on personal calls, a cell phone jammer would be a plausible solution.
    – Jay
    Jul 22 '15 at 13:08







  • 2




    RE "Employees gradually think it is no use bringing mobile phones inside" This would only apply to employees who want to use their mobile phones to make calls. If an employee is planning on using the camera to steal proprietary information, the fact that he can't make calls is irrelevant. So the policy is only effective against employees who have no plans to do the thing that you're really worried about, while having no effect on any who might actually be a problem. Unless, I suppose, your fear is that employees will ACCIDENTALLY photograph sensitive information while taking selfies.
    – Jay
    Jul 22 '15 at 13:15
















edited Jul 22 '15 at 12:53

























asked Jul 22 '15 at 12:33









BlueBerry - Vignesh4303















5 Answers

















Score: 8 (accepted)










I would push back and question the assumptions behind the requirement.



Assuming employees have access to customer data on their computers, there are countless other ways to "smuggle" out data. For example, they can take screenshots (the ability to do this is built into most all OS's), or copy and paste as text, or export into another format; or just plain old save to disk, etc; then send out via email, or paste into a web form, or copy onto a USB key, or transfer via Bluetooth, etc. There was a case a while back (can't remember the details) where somebody copied confidential data into drafts of emails, then copied the drafts outside the office and deleted them -- hey presto, data out, no traces whatsoever.
And a nefarious, technically skilled and/or professional adversary will come up with lots more: for starters, have you seen the kind of places you can hide a camera these days?



So unless you're willing to go full-on Pentagon when it comes to your security measures (body searches on entry and exit, airgapped network, completely locked down workstations, regular sweeps for rogue wifi and other transmitting devices, etc) and bear the costs, telling employees that they can't use/bring in their mobiles is just going to sap productivity, lower morale, waste time and cost money, all without addressing the actual problem.



Convincing the customer about this will, of course, be the tricky part. You could tell them that you care about their security, and you're willing to implement the Pentagon-style security if they're willing to pay for it, here's how much it will cost you. Or you could adopt a fig leaf approach: bundle the people working on super secret customer data into a separate room and make them all swear a super secret pinky promise to leave their phones in the magic basket outside when they enter.
























  • 1




    The OP didn't say who the client is or what data they are protecting, they may be legally obligated to comply in order to keep the contract.
    – kleineg
    Jul 22 '15 at 13:25






  • 2




    @kleineg Everything in business is negotiable. If they have no leverage, use the "fig leaf" approach above and comply with the letter of the requirement.
    – jpatokal
    Jul 22 '15 at 13:27






  • 1




    A separate room with different security protocols is an excellent idea. For example, a company I worked for had two contracts with very different entities. For the one there were specifications on what sort of lock was on the door, how much sound could escape the walls, the workstations were locked down, there was a guard with a cellphone detector and log in sheet, and all employees had clearance. This was all specified and required for the contract. The employees on the other contract could carry cell phones and standard background check... as long as they stayed where they were supposed to.
    – kleineg
    Jul 22 '15 at 13:53










  • @kleineg OP states "advised"
    – paparazzo
    Jul 22 '15 at 13:54






  • 1




    A separate room with different security protocols is exactly how the government handles its sensitive information.
    – David K
    Mar 9 '17 at 18:35

















Score: 2













A lot of the answers assume this is a management want rather than a requirement. If this absolutely has to be done, limit the physical area where data can be accessed, install an actual security guard who has a locking set of cabinets that the cell phones go in, establish and enforce consequences for breaking security protocol.






















  • 1




    Having worked for DoD in a building that contained highly classified information, yes this is what it takes. However, if the client is anyone except DoD or a similar agency that handles classified information, I would at least try to push back the requirement by telling them that if they want that level of security, they will have to pay the salary of the security guard and any costs of making building and network changes to ensure the data can only be accessed in the secure space.
    – HLGEM
    Jul 22 '15 at 15:15











  • And to be sure the data was not being stolen, they would also have to check all papers removed from the space (you could hand write the data you wanted to steal) and ensure no other types of data recording devices (thumb drives, backup tapes, etc.) are removed from the room except physical, encrypted backup tapes being sent to an offsite location.
    – HLGEM
    Jul 22 '15 at 15:19

















Score: 1













But that audit point is just silly. When you consider the risk profile of protecting data that alone does nothing. That is just someone coming up with an audit point.




"In a recent audit by one of our clients they advised to block mobile phones inside office campus."




There are two problems with that.



  • Mobile phones are not the only way to take a snapshot

  • If the data is available inside office campus that alone is the bigger risk profile

Even sillier, I bet the client meant to block cell phones physically, not just block usage.

A serious security audit would have items like

  • Do you have a training program regarding customer data security and confidentiality?

  • Do employees sign a customer data security and confidentiality policy?

  • Do you perform a background check on all employees?

  • Do you limit employee access to customer data to only those on the project?

  • Do you have an audit trail of which employees accessed customer data?

It is not reasonable to secure a campus of cell phones nor restrict an employee from a cell phone at their desk.



If the data is that confidential then the data should be restricted to a clean room void of printers and USB devices. Restricted access and no recording devices.



If data is available on the general campus then restricting cell phones is not going to protect data if someone wants to copy it.



As for the direct question "how to implement it?": if it is to block cell phones on the campus, then don't.

Tell the customer that blocking cell phones on the entire campus is not readily enforceable and puts an undue burden on employees. Don't add that it does not really secure the data.
Propose another reasonable security policy and practice. Or if you have a reasonable security policy and practice in place currently then just report the existing.

































Score: 1

Cell phone jammers are illegal in many jurisdictions, and would not stop pictures from being taken. However cell phone detectors are fairly straightforward to buy and use. Post a detector at each entrance and ask people stopped entering with a cellphone to leave it in their cars. Once inside, either issue a cell phone without a camera to each person who needs it, or use land lines. Depending on the client and the data, they may be under legal restrictions on how secure the data must be. For example a government contractor handling classified material must implement safeguards.



































Score: 0

Based on the comment replies and the question itself, this sounds very much like a management team attempting to formulate policy on topics for which they have absolutely no understanding either of the technology or of the actual risk being mitigated.

Unless this client has deep, deep pockets and "drives" the business (meaning that if this client were to leave it would be extremely disastrous), the expense to enforce such a restriction is prohibitive. However, if the risk is genuine and affects all clients, then it might just need to be implemented anyway simply to avoid the possibility of harmful litigation or industrial damage (such as the leaking of trade secrets or proprietary information).

Short of putting in metal detectors and security personnel to perform searches of employees both entering and exiting the facilities, the only real deterrent will be monitoring and punishment. People who come in contact with sensitive data will need to be made aware of their responsibilities and the repercussions of disseminating that information through any means (cell phone or not).

If your management puts in a policy of "no phones on campus", then there must be strict punishment guidelines and security personnel should be given the equipment necessary to monitor work areas. There are several precedents for these kinds of policies. Both Microsoft and Apple have similar policies regarding the taking of pictures on their campuses, and they've been moderately successful at maintaining these policies.






      share|improve this answer



























        5 Answers
        5






        active

        oldest

        votes








        5 Answers
        5






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        8
        down vote



        accepted










        I would push back and question the assumptions behind the requirement.



        Assuming employees have access to customer data on their computers, there are countless other ways to "smuggle" out data. For example, they can take screenshots (the ability to do this is built into most all OS's), or copy and paste as text, or export into another format; or just plain old save to disk, etc; then send out via email, or paste into a web form, or copy onto a USB key, or transfer via Bluetooth, etc. There was a case a while back (can't remember the details) where somebody copied confidential data into drafts of emails, then copied the drafts outside the office and deleted them -- hey presto, data out, no traces whatseoever.
        And a nefarious, technically skilled and/or professional adversary will come up with lots more: for starters, have you seen the kind of places you can hide a camera these days?



        So unless you're willing to go full-on Pentagon when it comes to your security measures (body searches on entry and exit, airgapped network, completely locked down workstations, regular sweeps for rogue wifi and other transmitting devices, etc) and bear the costs, telling employees that they can't use/bring in their mobiles is just going to sap productivity, lower morale, waste time and cost money, all without addressing the actual problem.



        Convincing the customer about this will, of course, be the tricky part. You could tell them that you care about their security, and you're willing to implement the Pentagon-style security if they're willing to pay for it, here's how much it will cost you. Or you could adopt a fig leaf approach: bundle the people working on super secret customer data into a separate room and make them all swear a super secret pinky promise to leave their phones in the magic basket outside when they enter.






        edited Jul 22 '15 at 13:26
        answered Jul 22 '15 at 13:22
        jpatokal







        • 1




          The OP didn't say who the client is or what data they are protecting, they may be legally obligated to comply in order to keep the contract.
          – kleineg
          Jul 22 '15 at 13:25






        • 2




          @kleineg Everything in business is negotiable. If they have no leverage, use the "fig leaf" approach above and comply with the letter of the requirement.
          – jpatokal
          Jul 22 '15 at 13:27






        • 1




          A separate room with different security protocols is an excellent idea. For example, a company I worked for had two contracts with very different entities. For the one there were specifications on what sort of lock was on the door, how much sound could escape the walls, the workstations were locked down, there was a guard with a cellphone detector and log in sheet, and all employees had clearance. This was all specified and required for the contract. The employees on the other contract could carry cell phones and standard background check... as long as they stayed where they were supposed to.
          – kleineg
          Jul 22 '15 at 13:53










        • @kleineg OP states "advised"
          – paparazzo
          Jul 22 '15 at 13:54






        • 1




          A separate room with different security protocols is exactly how the government handles its sensitive information.
          – David K
          Mar 9 '17 at 18:35












        Score: 2













        A lot of the answers assume this is a management want rather than a requirement. If this absolutely has to be done, limit the physical area where data can be accessed, install an actual security guard who has a locking set of cabinets that the cell phones go in, establish and enforce consequences for breaking security protocol.






        answered Jul 22 '15 at 13:54
        Myles







        • 1




          Having worked for DoD in a building that contained highly classified information, yes this is what it takes. However, if the client is anyone except DoD or a similar agency that handles classified information, I would at least try to push back the requirement by telling them that if they want that level of security, they will have to pay the salary of the security guard and any costs of making building and network changes to ensure the data can only be accessed in the secure space.
          – HLGEM
          Jul 22 '15 at 15:15











        • And to be sure the data was not being stolen, they would also have to check all papers removed from the space (you could hand write the data you wanted to steal) and ensure no other types of data recording devices (thumb drives, backup tapes, etc.) are removed from the room except physical, encrypted backup tapes being sent to an offsite location.
          – HLGEM
          Jul 22 '15 at 15:19






















        Score: 1













        But that audit point is just silly. When you consider the risk profile of protecting data that alone does nothing. That is just someone coming up with an audit point.




        In a recent audit by one of our client they advised to block mobile
        phones inside office campus.




        There are two problems with that.



        • Mobile phones are not the only way to take a snapshot

        • If the data is available inside office campus that alone is the bigger risk profile

        Even silly I bet the client meant block a cell phone physically not just block usage.



        A serious security audit would have items like



        • Do you have a training program regarding customer data security and
          confidentiality

        • Do employees sign a customer data security and confidentiality
          policy

        • Do you perform a background check on all employees

        • Do you limit employee access to customer data to only those on the
          project

        • Do you have an audit trail of which employees accessed customer data

        It is not reasonable to secure a campus of cell phone nor restrict an employee from a cell phone at their desk.



        If the data is that confidential then the data should be restricted to a clean room void of printers and USB devices. Restricted access and no recording devices.



        If data is available on the general campus then restricting cell phones is not going to protect data if someone wants to copy it.



        As for the direct question "how to implement it?".
        If it is block cell phones on the campus then don't.

        Tell the customer that blocking cell phones on the entire campus is not readily enforceable and puts an undue burden on employees. Don't add it does not really secure the data.
        Propose another reasonable security policy and practice. Or if you have a reasonable security policy and practice in place currently then just report the existing.






            answered Jul 22 '15 at 15:14









            paparazzo

            33.3k657106
























                up vote
                1
                down vote













                Cell phone jammers are illegal in many jurisdictions, and would not stop pictures from being taken. However cell phone detectors are fairly straightforward to buy and use. Post a detector at each entrance and ask people stopped entering with a cellphone to leave it in their cars. Once inside, either issue a cell phone without a camera to each person who needs it, or use land lines. Depending on the client and the data, they may be under legal restrictions on how secure the data must be. For example a government contractor handling classified material must implement safeguards.














                    edited Mar 9 '17 at 18:28

























                    answered Jul 22 '15 at 13:21









                    kleineg

                    926622
























                        up vote
                        0
                        down vote













                        Based on the comment replies and the question itself, this sounds very much like a management team attempting to formulate policy on topics for which they have absolutely no understanding either of the technology or of the actual risk being mitigated.



                        Unless this client has deep, deep pockets and "drives" the business (meaning that if this client were to leave it would be extremely disastrous), the expense to enforce such a restriction is prohibitive. However, if the risk is genuine and affects all clients, then it might just need to be implemented anyway simply to avoid the possibility of harmful litigation or industrial damage (such as the leaking of trade secrets or proprietary information).



                        Short of putting in metal detectors and security personnel to perform searches of employees both entering and exiting the facilities, the only real deterrent will be monitoring and punishment. People who come in contact with sensitive data will need to be made aware of their responsibilities and the repercussions of disseminating that information through any means (cell phone or not).



                        If your management puts in a policy of "no phones on campus", then there must be strict punishment guidelines and security personnel should be given the equipment necessary to monitor work areas. There are several precedents for these kinds of policies. Both Microsoft and Apple have similar policies regarding the taking of pictures on their campuses, and they've been moderately successful at maintaining these policies.
















                            answered Jul 22 '15 at 13:11









                            Joel Etherton

                            8,1062838















